When you have your Servers Azure Arc enabled, you will work with Azure Arc extensions to work with Azure hybrid features like Defender for Cloud, Azure Monitor, Windows Admin Center and more. For each Azure Arc extension you can get updates, and it’s important to keep them up-to-date for new functionality and security. You have Azure Arc extensions for Windows Servers but also for Linux Servers.
Some of the Azure Arc extensions will automatic upgrade when you have enabled it and some must go manually from the Azure Portal.
More information about Azure Arc extensions you can find them here
In the next steps you will see the Update management of the Azure Arc enabled extensions :
Here I update one extension.
Inside the WindowsOsUpdateExtension
Here you can see that the WindowsOsUpdateExtension is up-to-date
and Status Succeeded
On the right of this screenshot you see Automatic Upgrade and some extensions are enabled, but some are not supported.
That’s why it’s important to check these updates.
Here you can see in the Status that two Azure Arc extensions are updating
And sometimes it failed to update.
But you can see what you can do best with this failed Status.
Here you see the error message and the Tips.
And when you can’t fix it yourself you can make a Support ticket right away.
Here you can see that all the Azure Arc extensions are updated successfully
So I selected all my Azure Arc enabled Servers and updated them all.
Conclusion
With Microsoft Azure Arc enabled Servers you have do some IT management to keep your Azure Arc extensions up-to-date.
I did this without rebooting Servers, just from the Azure Portal update Azure Arc extension.
Here you find more information about Microsoft Azure Arc for Azure Hybrid IT
In earlier MVPLABSerie blogpost I wrote about making your on-premises Servers hybrid with Azure Arc enabled Servers.
In my mvplab.local domain, there is a SQL 2022 Cluster running which also has the Azure Connected Machine Agent version 1.24.
One of the benefits of Azure Arc enabled Servers for SQL is that you can do on-demand SQL Health assessments on your SQL Environment in your On-premises Datacenter. In the following step-by-step guide we will prepare the SQL Cluster nodes.
Here you see that the Azure Connected Machine Agent already is installed.
But it will now add the SQL Extension.
Installation Completed Successfully.
Now we have two Azure Arc enabled SQL Servers connected.
Overview of SQL 2022 Node in Azure Arc.
You can see the Databases running.
Here you can set your Admin from Azure Active Directory.
But we want to do a SQL Assessment, but the Azure Monitoring Agent is still missing.
Here you see that the SQL extension is installed.
Now we will add the Azure Monitor Agent to my existing Log Analytics Workspace.
Click on Add
Select Log Analytics Agent – Azure Arc.
Add your Workspace ID
Add your Workspace Kay
Click on Review + Create
Validation Passed.
Azure Monitoring Agent is Installed.
From here you can do the On-Demand SQL Assessments via
Microsoft Azure Arc enabled SQL Servers.
The SQL Server Assessment focuses on several key pillars, including:
SQL Server configuration
Database design
Security
Performance
Always On
Cluster
Upgrade readiness
Error log analysis
Operational Excellence
Example of SQL Server Assessment results.
On each assessment result you get a recommendation from Microsoft so you can make your SQL environment Health and Secure!
Conclusion
To get these health results of your SQL environment is Awesome 🙂 You are in control of your Azure Hybrid Arc enabled SQL Servers to keep them Healthy and Secure. The following Azure Arc enabled SQL Server blogpost is about Azure Defender for Cloud for your SQL Servers. With these two Azure Arc for SQL Server features you get the best Insights to keep your data as save as possible.
Microsoft Azure Update Management Center (Preview)
Update management center (preview) is a unified service to help manage and govern updates for all your machines. You can monitor Windows and Linux update compliance across your deployments in Azure, on-premises, and on the other cloud platforms from a single dashboard. Using Update management center (preview), you can make updates in real-time or schedule them within a defined maintenance window. Here you can find more information about Azure Update Management Center
In the following step-by-step guide, we will start with Azure Update Management Center (Preview) and Microsoft Azure Arc enabled Windows Servers running on-premises in my mvplab.local domain.
With getting started you can configure the environment.
I start here with my Azure Arc enabled Storage Server.
Updates installed on the Azure Arc Enabled Windows Server.
In Azure Update Management Center Overview Dashboard
you can see that one machine is completed.
For Monitoring you can make your own workbooks.
I like this History, to see if updates are successful or not.
Conclusion
Microsoft Azure Update Management Center is still in Preview but it’s a new way to manage all of your updates on your Servers on-premises with Azure Arc enabled, or on Azure Cloud, but also in other Clouds if you want. One Update Management Center from the Azure Portal is Awesome to work with and gives you control and overview of your update compliance in your datacenter(s). Important: This Great tool is still in preview and not for production environments yet until it’s made GA by Microsoft and you have the full support on this awesome management tool.
In the last blogpost of MVPLABSerie we learned how to add Servers from anywhere to Microsoft Azure Arc services to get the Azure Hybrid benefit with awesome features and Management tools. you can find that blogpost over here:
With Windows Admin Center in the Azure Portal you can manage the Windows Server operating system of your Arc-enabled servers, known as hybrid machines. You can securely manage hybrid machines from anywhere–without needing a VPN, public IP address, or other inbound connectivity to your machine.
Open Servers and open your Azure Arc Enabled Server.
First of all we have to add the right Role assignment.
Click on Access Control on the Left.
Click on Add => Add Role Assignment.
Here you have to add the following Role Assignment. Windows Admin Center Administrator Login. Add this to your account
When the account is done, then go to Windows Admin Center (Preview)
on the left panel. Click then on Setup.
Click on Install
Setup Successfully!
Now you can Connect your Azure Arc Enabled Windows Server.
Here we have my Storage Windows Insider Server in mvplab.local domain.
From here you can do your IT Management with WAC.
Remote PowerShell on Azure Arc enabled Server.
Microsoft Azure Arc Insights Monitoring and Log Analytics
For IT Management and troubleshooting, monitoring and getting Insights is important to act quickly to keep the business and IT solutions running. With Azure Arc Insights you can see with Maps the connections of the Windows Server.
Azure Arc Insights with Map.
See also the Quick Link to Connection details
This is a really cool overview of your connections.
Here you can see if you have a Malicious connection!
Here I do a Query on the Arc Enabled Server mvpstore01 Update Summary.
There are a lot of Log Analytics queries to play with and mark them as your favorite for your Arc enabled Windows Server 😉
In the following blogpost we will have a closer look at Microsoft Azure Auto Manage and Update Management Center for
Microsoft Azure Arc enabled Windows Servers. We will not forget Security with Azure Defender for Cloud coming in the next blogposts.
Conclusion
With Microsoft Azure Arcenabled Servers you get a Microsoft Azure Hybrid environment with Great features and solutions.
Some features are still in preview and not supported for production workloads, but you can test them now like I do with my mvplab.local
This new innovative technology is going fast forward for Azure Hybrid Services to Manage your Windows Servers, Azure Stack HCI Clusters or your Linux virtual Machines. Azure Arc rocks and you can connect Microsoft Azure Anywhere 🙂
Today every company wants to benefit from Cloud to achieve more for the business. Microsoft made Azure Arc to simplify governance and management by delivering a consistent multi-cloud and on-premises management platform.
In the following steps we are going to onboard the Windows Insider Servers and Windows 11 Insider Beta Virtual Machine which are running in mvplab.local domain into the Microsoft Azure Cloud. We will install the Azure Connected Machine Agent via a PowerShell Script in the next steps :
Here you can Choose for the right script.
I choose for Add Multiple Servers with a Service Principle.
Click on Generate Script.
Read the prerequisites access to port 443.
view Outbound URLs link.
Click Next
Select the right Azure Subscription and Resource Group.
Select your Azure Region.
Select Operating System
Select the Connectivity method.
Click on Next
If you don’t have a Azure Service principal, you can create one here.
Click on Create Service principal.
Create your Service Principal
Copy your Client ID and Client Secret !
You need this later.
Choose the Deployment method :
Basic Script or Configuration Manager ( I choose for Basic) Download the Script
I have copied the script to my Domain Controller On-premises here.
Open with PowerShell ISE the OnboardingScript.ps1
and Copy / Paste your
Service Principal Client ID and Secret here in the Script.
Click on save and run the script.
Start PowerShell in Admin modus
Run Script .\OnboardingScript.ps1
Server is connected with Azure 🙂
Here is the Azure Arc Enabled Server, my Domain Controller.
Here I have all the Azure Arc Capabilities available for my Domain Controller.
Azure Hybrid
With the Same Script I added the mvplab.local Windows Insider Servers to Azure
They are all Azure Arc Enabled Servers.
On all Azure Arc enabled Servers is the Azure Connected Machine Agent installed.
Conclusion
In a simple way you can deploy Azure Arc agent on your on-premises Servers to make them Azure Arc Enabled so you can enjoy the Azure Hybrid features from the Cloud. IT management and Security from Azure becomes available for your on-premises Servers.
It’s not only Infrastructure but also Data Services and Application Services what you can use for your Azure Hybrid Solution.
In the next Blogpost we will have a look at the Microsoft Azure Arc Features in my mvplab.local domain.
In my last MVPLAB Serie blogpost, I wrote about setting-up a Microsoft Domain mvplab.local and making a Windows Server Insider Cluster with an iSCSI Target Host Server for Shared iSCSI Storage provisioning. First thing I did was Installing Windows Admin Center for Hybrid IT Management. With WAC we can Manage the Cluster Nodes but also the Cluster, Installing new features via Windows Admin Center like Kubernetes for running Containers and microservices. But first we start with Microsoft Cluster Aware Updating to keep your Cluster up-to-date.
Windows Admin Center Cluster Manager
Installing Cluster Aware Updating
In the following steps you can see how easy it is to install Cluster Aware Updating with Windows Admin Center on your Windows Server Cluster, in my case mvpcl01.mvplab.local
Go to your Windows Server Insider Cluster
In Cluster Manager, go to Updates.
Click on Add Cluster Aware Updating Role
Microsoft Windows Admin Center is the Administrator Management tool to use in your hybrid datacenter. You see how easy it is to configure Cluster Aware Updating (CAU) on your Cluster. When you use Windows Server Core or Azure Stack HCI then Windows Admin Center is really handy instead of command-line tools or PowerShell scripting. here you can find more information about Cluster Aware Updating requirements and Best Practices
Ps. I downloaded the VHDX file for Hyper-V, but you can get also the ISO file here.
Getting started with the Windows Insider Program for Windows Server
Get exclusive access to Windows Server Insider Previews and Remote Server Administration tools and help shape the future of Windows Server in the Windows Insider Program for Windows Server.Register here for the Windows Server Insider programÂ
From here you can build your own local domain and Clusters in your LAB to test all the Features Windows Server 2022 Insider Preview Build 25140 has. Checking new Security features and doing your own pen tests.
Testing security with Kali Linux Rolling distro in WSL 2.0 against Windows Server Insider
in my Lab. And give feedback about features and or issues on Windows Server Insider :
And of course don’t forget Windows Admin Center for your LAB to manage your Servers, Azure Virtual Machines and your Clusters. You can download WAC here
What is new in preview is Windows Admin Center in the Azure Portal with Azure Arc Enabled Servers.
Windows Admin Center in the Azure Portal for Arc Enabled Servers 😉
Manage your Servers from the Cloud.
Conclusion
With Windows Server Insider Builds and Windows Admin Center, you can test and make your own LAB environment together for free. You can give the Microsoft product group feedback to make the product better. In the mean time your are learning new features and security in Windows Server Insider Preview Build and WAC before you go into production 🙂 I say a good win win situation and it’s fun to setup your own hybrid LAB.
Windows Admin Center Version 2110.2 Build 1.3.2204.19002
Windows Admin Center is a customer-deployed, browser-based app for managing servers, clusters, hyper-converged infrastructure, and Windows PCs. It comes at no additional cost beyond Windows and is ready to use in production. Learn more about Windows Admin Center.
Benefits
Simple and modern management experience
Hybrid capabilities
Integrated toolset
Designed for extensibility
Languages
Chinese (Simplified), Chinese (Traditional), Czech, Dutch (Netherlands), English, French, German, Hungarian, Italian, Japanese, Korean, Polish, Portuguese (Brazil), Portuguese (Portugal), Russian, Spanish, Swedish (Sweden), Turkish
In the following step-by-step guide I will deploy Windows Server 2022 Insider Build 25099 Core Edition with Windows Admin Center tool together with some great features for managing Windows Servers in a secure hybrid way with Microsoft Azure Cloud services. Like Azure Defender for Cloud, Azure Backup Vault, Azure Monitor, Security and more.
So I have Windows Admin Center 2110.2 installed and I have a Windows Server 2022 Hyper-V Server for my Virtual Machines in my MVPLAB Domain.
Now we will deploy the new Windows Server 2022 Insider Preview Build 25099.
In WAC on my Hypervisor in Virtual Machines
When you explore and open your Hyper-V Host and go to Virtual Machines, you can Click on Add and then on New for Creating your Windows Server Insider VM.
Create a New Windows Server Insider VM called StormTrooper01
Here you can configure your new Windows Server 2022 Insider VM with the following :
What kind of Generation VM (Gen 2 Recommended)
The path of your Virtual Machine and the path of your virtual disk(s)
CPU and you can make nested Virtualization too
Memory and use of Dynamic Memory
Network select the Virtual Switch
Network Isolation by VLAN
Storage, Create the size of the Virtual Disk. Choose an ISO or Select an existing VHD(x)
I Created a New 70GB OS Disk
and I want to Install the New Windows Server Insider OS from ISO.
Click on Browse
Here you Browse Default on your Hyper-V Host and select the ISO.
When the Windows Server ISO is selected you can hit Create
We get the Notification that the virtual machine is successfully created.
Only the Virtual Machine is now made with your specs and visible on the Hyper-V Host.
Select the New Virtual Machine (StormTrooper01) click on Power and hit Start.
After you started the VM, you can double click on it and go to Connect. Click on Connect to the Virtual Machine.
Now you are on the console via VM Connect.
Click on Install Now
We are installing Windows Server 2022 Insider Core edition, because we have WAC 😉
Installing Windows Server 2022 Insider Core Preview Build 25099 via Windows Admin Center
Create New Administrator Password.
And here we have Sconfig of the Windows Server 2022 Core.
via Virtual Machine Connect.
Now we can add and connect the New Virtual Machine with Windows Server 2022 Insider Preview Build in Windows Admin Center via IP-Address.
The Next step is to join the Windows Server 2022 Insider to my Domain MVPLAB.
Click on the Top on Edit Computer ID Click on Domain and type your domain name.
Click op Next Add your administrator account for joining the server
Reboot the VM.
Windows Server 2022 Insider Preview Core edition is domain joined.
Now we have the New Microsoft Windows Server 2022 Insider Preview Build 25099 running in Windows Admin Center, we can use all the tooling provided by WAC also in a Azure Hybrid way. Think about Azure Defender for Cloud, Azure Monitor. In Microsoft Windows Admin Center we also have a topic Azure Hybrid Center :
Here you see all the Azure Hybrid benefit features for your Windows Server 2022 Insider.
Microsoft Azure Arc
Azure Backup
Azure File Sync
Azure Site Recovery
Azure Network Adapter
Azure Monitor
Azure Update Management
and More…
Microsoft Azure and the Windows Admin Center Team made the wizards customer friendly and easy to get those Azure Hybrid services for your Windows Server.
When you have your Server running, you want to make backups and Monitoring your Server for management. And after that you want to be in control of your security of your new Server. In the following steps you see some examples on the same Windows Server 2022 Insider Preview Build:
Microsoft Azure Backup via WAC
Click on Azure Backup
Select your Azure Subscription and the Azure Backup Vault.
Select your data and make the schedule.
Enter the Encryption passphrase and Apply.
Here you have Azure Backup Vault working together with WAC.
Azure Defender for Cloud Security
Click op Microsoft Defender for Cloud
Click on Setup
Add the right Azure Subscription and Workspace
Click on Setup.
Configuring Azure Defender for Cloud agent and Subscription.
Azure Defender for Cloud in Windows Admin Center on your Windows Server 2022 Insider Preview Build.
In Windows Admin Center there is also a Security tab for the Windows Server.
Here you can see if your system is supported for this security features 🙂
Enable the supported features and Restart de Virtual Machine.
And here you see my status overview.
Further more you can manage RBAC in Windows Admin Center when you have to work with different kind of users.
You can find RBAC in settings.
Conclusion
Windows Server Insider Core edition and Windows Admin Center are working better together! You have all the tools you need to startup your Windows Server and
manage it with WAC. Windows Admin Center is getting better and better to manage your Hybrid Datacenter and keep you as an Administrator in Control!
So is how I manage my MVPLAB but also for Production workloads I use Windows Admin Center and the Azure Portal together. With Microsoft Azure Arc Services
Azure Hybrid becomes your solution where Windows Admin Center can Support you with making Azure Stack HCI Clusters with Azure Kubernetes for your DevOps environment.
Microsoft Azure Arc allows you to manage the following resource types hosted outside of Azure:
Servers: Manage Windows and Linux physical servers and virtual machines hosted outside of Azure.
Kubernetes clusters: Attach and configure Kubernetes clusters running anywhere, with multiple supported distributions.
Azure data services: Run Azure data services on-premises, at the edge, and in public clouds using Kubernetes and the infrastructure of your choice. SQL Managed Instance and PostgreSQL Hyperscale (preview) services are currently available.
SQL Server: Extend Azure services to SQL Server instances hosted outside of Azure.
I have a Kubernetes Cluster enabled with Azure Arc Services in my MVP LAB:
It’s Called Dockkube.
The Kubernetes Cluster is running on-premises and is enabled with Microsoft Azure Arc Services. With that said we get Azure Services available for management in the Cloud in a hybrid way. In the following step by step guide we activate Azure Monitor Insights for Containers on the Azure Arc enabled Kubernetes Cluster.
Container Insights Alerts / Actions on Azure Arc Enabled Kubernetes
Dockkube Insights
When you open Dockkube Azure Arc enabled Kubernetes, you will see on the left Monitoring Insights.
Then you have the options :
What’s New
Cluster
Nodes
Controllers
Containers.
Click on Containers, and you will see all the containers on the Azure Arc enabled kubernetes.
Then you have recommended Alerts (Preview) at the top, when you Click on it you will see all the predefined recommended alerts in preview. I have selected Node CPU % and Enabled the alert. With that you see on the above screenshot there is no action group assigned. That is the next step, click on No Action Group Assigned.
Click on Create a new action group.
Select the Azure Subscription, Resource group and give the
Action Group a name.
Click on Next: Notifications
Here you can select your type of Alert communication.
I have selected the option Email.
Setting the Name : Dock Kube Notify.
The next step you can select an action type :
Automation Runbook
Azure Function
Event Hub
ITSM
Logic App
Secure webhook
Webhook
In my MVP LAB, I don’t need an action but just a notification by email.
You can set a TAG here
Before you create the Alert rule with the action group, you get the option
to test the action group.
Click on Test Action Group.
Select a sample type.
I did Resource health alert
Click on Test.
The test is running.
I’m getting the Alert email in my box from Microsoft Azure.
Test is successful and click on Done.
Click on Create
Select the Action group for me is that DockKube CPU.
Click on Apply to Rule.
Now this Alert is active on my Azure Arc enabled Kubernetes 😉
When you go to Alert Rules, you will see the new Alert rule.
Here you can modify it if necessary.
For example, I want the severity from 3 Information to 2 Warning.
I made a severity 2 Warning.
Don’t forget to click on Save at the left top.
More Container Insights information on Microsoft docs :
Microsoft Azure Arc enabled kubernetes is Awesome for management in a hybrid way. I just showed you the power of Alert rules with action groups from the Azure Cloud to get Container Insights. Of course there are more Azure features for your Azure Arc enabled Kubernetes like Security (Preview) Kubernetes Resources, Policies, Gitops and more. Making your own dashboard with Container Insight information. Go for hybrid IT Management with Azure Arc enabled Kubernetes!
Hope you started year 2022 in Good Health in a difficult pandemic time.
Starting 2022 by asking yourself, how is your Security by Design doing in 2022
Your Security is one of the most important aspects of any architecture for your Business.
It provides confidentiality, integrity, and availability assurances against attacks and abuse of your valuable data and systems. Losing these assurances can negatively impact your business operations and revenue, and your organization’s reputation.
Here you find Awesome information about Applying security principles to your architecture to protect against attacks on your data and systems:
Security recommendations that are in private preview
Programmatic remediation tools for security recommendations
PowerShell scripts for programmatic management
Azure Policy custom definitions for at-scale management of Microsoft Defender for Cloud
Logic App templates that work with Defender for Cloud’s Logic App connectors (to automate response to Security alerts and recommendations)
Logic App templates that help you run regular tasks or reports within the scope of Microsoft Defender for Cloud
Custom workbooks to visualize Defender for Cloud data
Become a Microsoft Defender for Cloud Ninja
Security and Learning is a ongoing process, I always say Learning on the Job 😉 is important to keep Up-to-Date every day of the week. Microsoft Tech Community platform and Microsoft Learning can support you to get the knowledge.
Microsoft and the community has a lot of good security information to start with for your Data and Systems to keep your business solution as save as possible. Here they write New blogposts for the community about Defender for Cloud
Keep in Mind “Security is only as strong as the weakest component in the Chain”
So keep your Security up-to-date and do assessments on vulnerabilities to keep your data and systems secure. Monitoring => Alerting => Remediation is 24/7/365 Process with Security people in the business.